Saturday, April 2, 2011

Latest iptables, xtables, ipset for Ubuntu

Because I use Ubuntu 10.04 I am stuck with old versions of iptables, xtables and ipset (the latter is very old!). Is there a solution? Yes, of course: I could compile those applications myself, but I prefer to have .deb packages managed by the good old dpkg.

IPTables

With the method described in this post we can get the latest version of iptables (currently 1.4.10), but what about xtables or ipset?

IPSet

Well, for ipset we are out of luck. Unless we want to try the uupdate method to bring the package up to the latest version, the only option remaining is to download the sources from netfilter and do the usual:

# make && make install && make clean

This will place ipset in /usr/local/ and we - god forbid - will actually have to do a bit of sysadmin work to maintain the system without any yum, rpm or apt.

Inform the kernel about the new modules:

# depmod && depmod -A

Time to test ipset. I assume you are still in the source directory.

# cd tests && ./runtest.sh

This will automatically run a bucketload of tests to check that the installation went OK. After it has finished you should read this:

All tests are passed

... well everything went ok ;)

XTables

The version of xtables for Natty is a very recent one, but it needs to be compiled as a kernel module. To do so we use module-assistant.
But first, we switch both the sources AND the compiled packages to the release (or alpha) that has the packages we want.

# sed -i 's/deb/#deb/g' /etc/apt/sources.list
# sed -i 's/#deb/deb/g' /etc/apt/sources.list.d/latest.sources.list

Here I am assuming that you have a latest.sources.list file listing the repositories of the Ubuntu release from which you want to pull packages (make sure you check this post if you haven't done so already.)

Now we dance: 

# aptitude update
# apt-get install xtables-addons-common
# module-assistant auto-install xtables-addons-source

OK! Now we have a newer version of xtables managed by apt. Thumbs up!

Test it by jamming spammers:

# iptables -A INPUT -p tcp --dport smtp -j TARPIT

If you don't get any error, iptables+xtables work!
(I do NOT recommend leaving this rule active. TARPIT should be used with untracked connections only.)

Finally, remember to switch the repositories back!

# sed -i 's/#deb/deb/g' /etc/apt/sources.list
# sed -i 's/deb/#deb/g' /etc/apt/sources.list.d/latest.sources.list
# aptitude update
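The repository switch above, as a small shell script I am adding here (it is not part of the original post): instead of a plain `#`, it prefixes the lines it disables with its own marker. The unanchored `s/deb/#deb/g` also rewrites "deb" wherever it appears inside a URL, and a distinct marker guarantees that the switch-back step only re-enables the lines the upgrade step disabled, never a repository you had commented out on purpose. The script runs on a constructed sample file, not on /etc/apt; the marker text and the function names are my own choice.

```shell
#!/bin/sh
# Added example, not from the original post: toggle APT source lists with a
# marker so that only lines this script disabled are re-enabled afterwards.
# Assumed: GNU sed with -i (as on Ubuntu).

MARK='#DISABLED-FOR-UPGRADE# '

# disable_repos FILE: comment out every active "deb" / "deb-src" line and keep a
# backup as FILE.bak. Anchored to the start of the line, so "deb" inside a URL
# or a component name is never touched.
disable_repos() {
    f=$1
    cp "$f" "$f.bak"
    sed -i "s|^deb|${MARK}deb|" "$f"
}

# enable_repos FILE: remove the marker again. A line that was already commented
# out before (plain "# deb ...") carries no marker and stays disabled.
enable_repos() {
    f=$1
    sed -i "s|^${MARK}||" "$f"
}

# count_active FILE: number of lines APT would actually use.
count_active() {
    grep -c '^deb' "$1" || true
}

# Demo on a constructed sample file (not a real sources.list).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
deb http://archive.ubuntu.com/ubuntu lucid main restricted
deb-src http://archive.ubuntu.com/ubuntu lucid main restricted
# deb http://archive.canonical.com/ubuntu lucid partner
deb http://deb.example.org/ubuntu lucid main
EOF
    echo "before:        $(count_active "$tmp") active line(s)"
    disable_repos "$tmp"
    echo "after disable: $(count_active "$tmp") active line(s)"
    enable_repos "$tmp"
    echo "after enable:  $(count_active "$tmp") active line(s)"
    echo "partner line still disabled: $(grep -c '^# deb http://archive.canonical.com' "$tmp")"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

Run it once on a copy of your own sources.list before pointing it at /etc/apt; the .bak file is there so a botched switch can be undone with a single `mv`.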

---

Useful links:
